RE: draft-ietf-pkix-warranty-extn-01.txt



Anders,
I respectfully disagree.  You're right that a CA is not like GM or Ford, but
why can a CA not offer a warranty?  Perhaps what is missing here is a
definition of warranty, which, in insurance terms, is attestation of the
intent to provide compensation for harm incurred by using a certificate
(that is, a certificate that is faulty in some way).  Warranty is not the
same as liability; warranty is something that the CA can control, whereas it
cannot completely control liability.  The CA (or indeed any product- or
service-offering company) may try to limit its liability, but regardless of
this attempt, the extent of liability will ultimately be decided by the
courts.
You seem to be defining warranty rather narrowly, as replacement or refund
in the event of an inherent flaw.

Similarly, it seems to me that I define risk management more broadly than
you suggest.  Every time an RP enters into a transaction, or considers doing
so, the RP makes a risk management decision.  This can be quite a natural
and intuitive process, or it can be explicitly defined; either way, the
decision is made, and it will be based on more or less information.  The
more information an RP has, the more informed the risk management decision
will be.  If a certificate contains information pertaining to the existence
of compensation in the event of harm, then the RP has more information on
which to make a risk decision.  Armed with this information, as well as
information about other factors of the transaction, such as value,
sensitivity of information, parties to the transaction (e.g., known or
unknown), etc., the RP's risk is reduced by virtue of knowing more about all
of the risk factors - including warranty.  If there is a TTP involved, this
again becomes a factor in the RP's risk management decision.

My 2 Canadian cents again.

Alice



Alice Sturgeon
Chair
Canadian Advisory Committee - Information Technology Security
ISO/IEC JTC1 SC 27
and
System Policy Architect
SPYRUS
Phone:     613-232-2350
Cell:         613-291-0331



-----Original Message-----
From: owner-ietf-pkix@xxxxxxxxxxxx [mailto:owner-ietf-pkix@xxxxxxxxxxxx]On
Behalf Of Anders Rundgren
Sent: November 28, 2002 12:29 PM
To: ietf-pkix@xxxxxxx
Subject: Re: draft-ietf-pkix-warranty-extn-01.txt


Hi,

After reading this draft I believe the name "warranty" is a bit
misleading.  It is (or should IMHO at least be) focused on
CA liability issues, as a CA cannot be compared to a car maker,
as only the latter will repair or replace their products in case
of faults.  Well, to get a "replacement" certificate would be the
equivalent but that is sort of taken for granted anyway. :-)

                  CA-liability-extn

seems to be closer to what we are actually dealing with.

I would also be very cautious about RP "risk management"
because that's rather fictional.  The risk you take by accepting
an unknown[*] business partner is likely to be magnitudes bigger
than accepting their certificates.   If the CA is unknown as well
you have nothing to build PKI trust on either.

For TTP CAs OTOH, "risk management" with respect to
client-certificates is a part of their daily bread.

Just my 2 öres

Anders

[*] with respect to performance, trustworthiness, credibility etc.